RCE Vulnerability Found in Nacos – Dynamic Naming and Configuration Service

Nacos RCE vulnerability

In the ever-evolving world of cloud-native applications and microservice platforms, Nacos has become the touchstone of simplicity and usability. Its cutting-edge, yet accessible design is instrumental for dynamic service discovery, configuration, and service management. Despite its robust functionality, a recent security vulnerability has unveiled a lurking threat within its fortified walls.

A deserialization flaw has been detected in the Raft protocol of Nacos, raising alarm bells in the cybersecurity community. This vulnerability exposes a critical oversight in the processing of specific Jraft requests by Nacos clusters. The unrestricted usage of Nacos hessian for deserialization forms a chink in the platform’s armor, providing potential attackers with the opportunity to execute malicious code (RCE vulnerability).

In light of this discovery, it becomes essential to understand the susceptibility of different versions of Nacos to this security flaw. Interestingly, in Nacos 1.x, the default settings fortify standalone mode systems against this vulnerability, thanks to the closure of port 7848. However, cluster mode is more vulnerable, lying at the mercy of potential attacks. On the other hand, Nacos 2.x indiscriminately opens port 7848 in both standalone and cluster modes, heightening the risk.

This vulnerability casts a particularly ominous shadow over the Jraft service on port 7848, posing the most significant threat.

Nacos RCE

Impacted versions include Nacos 1.4.0 to 1.4.5 and Nacos 2.0.0 to 2.2.2. Conversely, Nacos versions 1.4.6 and 2.2.3 mainly fix this RCE vulnerability caused by unbounded use of hessian during some Jraft request processing.

In response to this pressing issue, a clarion call is being made to all affected users to promptly implement protective measures. Swift action is required to mitigate the potential damages. Fortunately, an official patch addressing this vulnerability has been released. Users are strongly urged to upgrade to the latest, secured versions at the earliest for enhanced protection.

Interestingly, this vulnerability predominantly affects port 7848, the default communication channel for the Nacos cluster inter-raft protocol. Since this port doesn’t typically handle client requests, the threat can be curtailed by restricting access from outside the Nacos clusters, particularly by limiting or entirely blocking exposure of the port in older versions.